Yintoni umahluko phakathi kwe-http vs https? Ingcaciso ebanzi yenkqubo yoguqulelo oluntsonkothileyo lwe-SSL

Ngophuhliso olukhawulezayo lwe-Intanethi, abanye abantu benza oko bafunaIntengiso ye-Wechat,Ukunyuswa kweakhawunti yoluntu, kodwa uyakhalazaIntengiso ye-Intanethiayisebenzi, ngokweneneiindaba ezintshaEyona ndlela ingcono yokuba abantu benze ukuthengisa kwi-Intanethi kukusebenzisa iinjini zokukhangelaukukhupha amanziixabiso.

Ke ngoko, iinjini zokukhangela zezona zidumileyo kule mihlauKhuthazo lweWebhuenye yeendlela.

Ngapha koko, iinjini zokukhangela zikaGoogle kunye neBaidu zixele esidlangalaleni ukuba i-https ibandakanyiwe kwindlela yokubeka injini yokukhangela.

ngakumbiEzorhweboKwiiwebhusayithi, kucetyiswa ukuba usebenzise i-https ye-encryption protocol, engancedi nje ukuphucula umgangatho, kodwa inceda abasebenzisi ukuba bafumane iwebhusayithi ngokukhuselekileyo.

Iprotocol ye-Hypertext Transfer Protocol isetyenziselwa ukudlulisa ulwazi phakathi kwesikhangeli sewebhu kunye neseva yewebhu.I-HTTP protocol ithumela umxholo obhalwe ngokucacileyo kwaye ayinikezeli naluphi na uhlobo lofihlo lwedatha.Ukuba umhlaseli uthintele unxibelelwano phakathi kwesikhangeli sewebhu kunye neseva yewebhu Ke ngoko, iHTTP Iprothokholi ayifanelekanga ukuhambisa ulwazi oluthile olubuthathaka, olufana nenombolo yekhadi letyala, igama lokugqitha kunye nolunye ulwazi lwentlawulo.

Ukuze kusonjululwe esi siphene somthetho we-HTTP, kufuneka kusetyenziswe enye iprotocol: iprotocol ekhuselekileyo ye-socket hypertext transfer protocol HTTPS. Ukhuseleko losasazo lwedatha, iHTTPS yongeza iSSL protocol kwiHTTP, kwaye iSSL ixhomekeke kwizatifikethi zokuqinisekisa umncedisi, kwaye ufihla unxibelelwano phakathi kwesikhangeli kunye nomncedisi.

XNUMX. Iingcamango ezisisiseko ze-HTTP kunye ne-HTTPS

I-HTTP: yeyona ndlela isetyenziswayo yothungelwano iprothokholi kwi-Intanethi.Licala lomxhasi kunye nesicelo secala lomncedisi kunye nomgangatho wokuphendula (TCP), osetyenziselwa ukuthumela i-hypertext ukusuka kumncedisi weWWW ukuya kwisikhangeli sasekhaya.Umncedisi ungaphezulu esebenzayo, ekhokelela kugqithiso lwenethiwekhi olumbalwa.

I-HTTPS: Ingumjelo okhuselekileyo we-HTTP.Ngokufutshane, inguqu ekhuselekileyo ye-HTTP, oko kukuthi, ukongeza i-SSL layer kwi-HTTP.Isiseko sokhuseleko se-HTTPS yi-SSL, ngoko umxholo ocacileyo wokubethelwa ufuna i-SSL.

Imisebenzi ephambili yeprotocol yeHTTPS inokwahlulwa ibe ziindidi ezimbini: enye kukuseka ijelo lokhuseleko lolwazi ukuqinisekisa ukhuseleko lokuhanjiswa kwedatha; enye kukuqinisekisa ubunyani bewebhusayithi.

XNUMX. Uthini umahluko phakathi kweHTTP kunye neHTTPS?

Idatha egqithiswe yi-HTTP protocol ayifihlwanga, oko kukuthi, kumbhalo ocacileyo.Ke ngoko, akukhuselekanga kakhulu ukusebenzisa iprotocol yeHTTP ukuhambisa ulwazi lwabucala.Ukuqinisekisa ukuba ezi datha zabucala zinokuguqulelwa ngokuntsonkothileyo kwaye zidluliselwe, iNetscape yela iSSL. (Ukhuseleko lweeSokethi) iprothokholi yeHTTPS yazalelwa ukufihla idatha ethunyelwa ngeprotocol yeHTTP.

Ukubeka nje, i-protocol ye-HTTPS yi-protocol yenethiwekhi eyakhiwe yi-SSL + HTTP protocol enokwenza ukuhanjiswa kwe-encrypted kunye nokuqinisekiswa kwesazisi, kwaye ikhuseleke ngakumbi kuneprotocol ye-http.

Umahluko omkhulu phakathi kwe-HTTPS kunye ne-HTTP umi ngolu hlobo lulandelayo:

• 1. Inkqubo ye-https kufuneka iye kwi-ca ukufaka isicelo sesatifikethi. Ngokubanzi, zimbalwa izatifikethi zasimahla, ngoko ke kufuneka umrhumo othile.
• 2. I-http yi-protocol yokudluliselwa kwe-hypertext, ulwazi luhanjiswa ngokubhaliweyo okucacileyo, kwaye i-https yi-protocol yokudlulisa efihliweyo ye-ssl.
• 3. I-http kunye ne-https zisebenzisa iindlela zokudibanisa ezihluke ngokupheleleyo kunye namazibuko ahlukeneyo.Iyangaphambili yi-80 kwaye yokugqibela yi-443.
• 4. Uqhagamshelo lwe-http lulula kakhulu kwaye alunasimo, inkqubo ye-HTTPS yiprotocol yenethiwekhi eyakhiwe yi-SSL+HTTP protocol enokwenza ugqithiso oluntsonkothileyo kunye noqinisekiso lwesazisi, olukhuselekileyo kuneprotocol ye-http.

XNUMX. Inkcazo eneenkcukacha yeHTTPS kunye ne-SSL encryption inkqubo

Sonke siyazi ukuba i-HTTPS inokufihla ulwazi ukuthintela ulwazi olubuthathaka ukuba lungafunyanwa ngabantu besithathu, ngoko ke iiwebhusayithi ezininzi zebhanki okanye ii-imeyile kunye nezinye iinkonzo ezinamazinga aphezulu okhuseleko ziya kusebenzisa i-HTTPS protocol.

1. Umxhasi uqalisa isicelo se-HTTPS

Oku akukho nto ithi, oko kukuthi, umsebenzisi ungena kwi-URL ye-https kwisiphequluli, aze adibanise kwi-port 443 yomncedisi.

2. Ubumbeko lweseva

Umncedisi osebenzisa i-HTTPS protocol kufuneka abe neseti yezatifikethi zedijithali, ezinokuthi zenziwe nguwe okanye zisetyenziswe kumbutho.Umahluko kukuba isatifikethi esikhutshwe nguwe kufuneka siqinisekiswe ngumxhasi ngaphambi kokuba siqhubeke nokufikelela, ngelixa. Isiqinisekiso esisetyenziswe yinkampani ethembekileyo asikho.Iphepha elikhawulezayo liya kuvela.

Esi seti yezatifikethi ngenene sisitshixo sikawonke-wonke kunye nesitshixo sabucala.Ukuba awusiqondi isitshixo sikawonke-wonke kunye nesitshixo sabucala, ungasicingela njengesitshixo kunye nesitshixo, kodwa nguwe wedwa umntu ehlabathini oye wafumana isitshixo kunye nesitshixo sabucala. esisitshixo uyakwazi ukusitshixa intloko kwabanye, abanye bangasebenzisa esi sitshixo ukutshixa izinto ezibalulekileyo baphinde basithumele kuwe ngoba nguwe wedwa onaso esi sitshixo sodwa ubona izinto ezitshixwayo ngesitshixo.

3. Thumela isatifikethi

Esi satifikethi ngenene sisitshixo sikawonke-wonke, kodwa siqulethe ulwazi oluninzi, olufana nogunyaziwe wesatifikethi, ixesha lokuphelelwa, njalo njalo.

4. Isatifikethi sokwahlulahlula umxumi

Le nxalenye yomsebenzi wenziwa yi-TLS yomxhasi.Kuqala, iya kuqinisekisa ukuba isitshixo sikawonke-wonke sivumelekile na, njengegunya elikhuphayo, ixesha lokuphelelwa, njl njl. kukho ingxaki ngesatifikethi.

Ukuba akukho ngxaki ngesatifikethi, ngoko velisa ixabiso elingenamkhethe, kwaye ngoko ufihle ixabiso elingalindelekanga kunye nesatifikethi, njengoko kukhankanyiwe ngasentla, tshixa ixabiso elingalindelekanga ngesitshixo, ukuze ngaphandle kokuba kukho isitshixo, awukwazi ukubona sitshixiwe. ixabiso umxholo.

5. Ukuhanjiswa kolwazi oluntsonkothileyo

Le ndawo ithumela ixabiso elingaqhelekanga elifihliweyo kunye nesatifikethi Injongo kukuvumela umncedisi afumane eli xabiso lingenamkhethe, kwaye ke unxibelelwano phakathi komxhasi kunye nomncedisi unokuguqulelwa ngokuntsonkothileyo kwaye uguqulelwe ngokuntsonkothileyo ngeli xabiso lingenamkhethe.

6. Ulwazi lwecandelo lenkonzo lokuguqulelwa kwingcaciso

Emva kokuba umncedisi ecocile ngeqhosha labucala, ufumana ixabiso elingenamkhethe (iqhosha labucala) elithunyelwe ngumxhasi, kwaye emva koko uguqulela umxholo ngokulinganayo ngexabiso.Ngale ndlela, ngaphandle kokuba iqhosha labucala liyaziwa, umxholo awunakufunyanwa, kwaye bobabini umxhasi kunye nomncedisi bayalazi isitshixo sabucala, ukuba nje i-algorithm yoguqulelo oluntsonkothileyo yomelele ngokwaneleyo kwaye isitshixo sabucala sintsokothile ngokwaneleyo, idatha ikhuselekile ngokwaneleyo.

7. Ukuhanjiswa kolwazi oluntsonkothileyo

Le nxalenye yolwazi lulwazi olufihliweyo ngesitshixo sabucala secandelo lenkonzo kwaye inokubuyiselwa kwicala lomxhasi.

8. Ulwazi lokuguqulelwa kwikhowudi yomthengi

Umxhasi ususa ukuntsonkotha kolwazi oluthunyelwe licandelo lenkonzo ngesitshixo sabucala esenziwe ngaphambili, aze ngaloo ndlela afumane umxholo okhutshiweyo.Nokuba umntu wesithathu ebeka iliso kwidatha ngexesha lenkqubo yonke, akuncedi.

Okwesine, isimo sengqondo seenjini zokukhangela kwi-HTTPS

I-Baidu isungule isiza esigcweleyo senkonzo yokukhangela efihliweyo ye-HTTPS ukusombulula "iqela lesithathu" ukufunxa kunye nokuqweqwedisa ubumfihlo bomsebenzisi. Enyanisweni, ngoMeyi ka-2010, uGoogle waqala ukubonelela ngenkonzo yokukhangela efihliweyo ye-HTTPS, erhubuluza kumaphepha ewebhu e-HTTPS. umba, uBaidu wathi kwisibhengezo ngoSeptemba 5 ukuba "i-Baidu ayiyi kukhwela ngokusebenzayo amaphepha ewebhu e-HTTPS", ngelixa i-Google ichazwe kuhlaziyo lwe-algorithm ukuba "phantsi kweemeko ezifanayo, iisayithi ezisebenzisa i-HTTPS iteknoloji yokubethela iya kuba nemigangatho engcono yokukhangela. I-Advantage".

Ke, kule ndawo inkulu, ngaba ii-webmasters kufuneka zamkele "ingozi" ye-HTTPS protocol? I-HTTPS yeenjini zokukhangelaseoKuthekani ngempembelelo?

1. Isimo sengqondo sikaGoogle

Isimo sengqondo sikaGoogle malunga nokubandakanywa kweendawo ze-HTTPS azifani neendawo ze-HTTP, kwaye ithatha "nokuba usebenzisa i-encryption ekhuselekileyo" (HTTPS) njengento yokubhekisela kwi-algorithm yokukhangela. Kukho amathuba amaninzi okubonisa, kwaye umgangatho ukwanenzuzo ngakumbi kuneendawo ze-HTTP zeesayithi ezifanayo.

Kwaye i-Google icacise ukuba "ithemba ukuba bonke abaphathi bewebhu baya kukwazi ukusebenzisa i-protocol ye-HTTPS endaweni ye-HTTP", ebonisa ukuzimisela kwayo ukufezekisa injongo ye "HTTPS kuyo yonke indawo".

2. Isimo sengqondo sikaBaidu

Ngaphambili, itekhnoloji ye-Baidu ibisemva ngokwentelekiso, isithi "ayizukurhubuluza ngokukhutheleyo amaphepha e-https", kodwa "yayinexhala" malunga "namaphepha amaninzi e-https awanakubandakanywa." Kude kube ngoSeptemba 2014, 9, u-Baidu waxoxa "Indlela yokwenza ukwakha iisayithi ze-https ukuphumeza injongo". Inqaku lapapashwa kumba othi "Friendly to Baidu", ukunika iingcebiso ezine kunye neentshukumo ezithile "zokuphucula i-Baidu-friendlyness ye-https sites":

1. Yenza iinguqulelo ze-http zifikeleleke kumaphepha e-https afuna ukuboniswa yi-injini yokukhangela ye-Baidu.

2. Gweba undwendwe ngokusebenzisa iarhente yomsebenzisi, kwaye usete BaiI-duspider ibhekiswa kwiphepha le-http. Xa abasebenzisi abaqhelekileyo bendwendwela iphepha nge-injini yokukhangela ye-Baidu, baya kuthunyelwa kwakhona kwiphepha elihambelanayo le-https ukuya ku-301.Njengoko kubonisiwe kulo mfanekiso, lo mfanekiso ungasentla ubonisa inguqulelo ye-http ebandakanyiweyo kwi-Baidu, kwaye umfanekiso ongezantsi ubonisa ukuba abasebenzisi baya kuzitsibela ngokuzenzekelayo kwinguqulelo ye-https emva kokucofa.

3. I-http version ayenzelwanga kuphela iphepha lasekhaya, amanye amaphepha abalulekileyo kufuneka enze i-http version kunye nekhonkco omnye komnye Musa ukwenza oku: ikhonkco kwiphepha lasekhaya le-http lisaxhunyaniswa kwiphepha le-https, eyenza ukuba i-Baiduspider ingakwazi ukuqhubeka irhubuluza—— Sidibene nemeko enjalo ukuba singaquka kuphela iphepha elinye lasekhaya lesiza siphela.

4. Esinye isiqulatho esingafunekiyo sibethelelwe, esifana nolwazi, sinokuthwalwa ligama lesizinda senqanaba lesibini.umzekeloAlipayIsayithi, umxholo ofihliweyo ongundoqo ubekwe kwi-https, umxholo onokuthi ubanjwe ngokuthe ngqo yi-Baiduspider ubekwe kwigama lesizinda sesibini.

Ngokovavanyo lwe-Computer Science House kwikhonkco elingezantsi, kuthatha i-114 milliseconds ukuseka uxhumano lwe-HTTP; kuthatha i-436 milliseconds ukuseka uxhumano lwe-HTTPS, kunye ne-322 milliseconds yecandelo le-SSL, kubandakanywa ukulibaziseka kwenethiwekhi kunye nokugqithisa. yoguqulelo oluntsonkothileyo kunye noguqulelo oluntsonkothileyo lwe SSL ngokwayo (umncedisi usekwe kulwazi lomxhasi) Gqiba ukuba iqhosha lenkosi elitsha lifuna ukwenziwa; umncedisi uphendula kwisitshixo esikhulu kwaye ibuyisela umyalezo oqinisekisiweyo ngesitshixo esikhulu kumxhasi. ;umncedisi ucela umxhasi umsayino wedijithali kunye nesitshixo sikawonke-wonke).

XNUMX. Zingakanani izixhobo ezisetyenziswa yiHTTPS kuneHTTP?

I-HTTPS ngenene yi-HTTP protocol eyakhelwe phezulu kwe-SSL/TLS.Ke ngoko, ukuthelekisa ukuba zininzi kangakanani izixhobo zeseva ezisetyenziswa yiHTTPS kuneHTTP,Chen WeiliangNdicinga ukuba ubukhulu becala kuxhomekeke kubungakanani bemithombo yomncedisi esetyenziswa yi-SSL/TLS ngokwayo.

I-HTTP isebenzisa i-TCP yeendlela ezintathu zokubambisana ukuseka uxhulumaniso, kwaye umxhasi kunye nomncedisi kufuneka batshintshe iipakethi ze-3;

Ukongeza kwiipakethi ezintathu ze-TCP, i-HTTPS yongeza iipakethi ze-9 ezifunekayo kwi-handshake ye-ssl, ngoko kukho iipakethi ze-12 zizonke.

Emva kokuba uqhagamshelo lwe-SSL lusekiwe, indlela elandelayo yoguqulelo oluntsonkothileyo iba yindlela yofihlo olulingeneyo efana ne-3DES, enomthwalo we-CPU olula.Xa kuthelekiswa ne-asymmetric encryption method xa udibaniso lwe-SSL lusekiwe, umthwalo we-symmetric encryption method on the CPU. , ngoko ke ingxaki iyeza Ukuba uphinda uyakhe iseshoni ye-ssl rhoqo, impembelelo ekusebenzeni komncedisi iya kuba yingozi.Nangona ukuvula i-HTTPS gcina-iphila kunokunciphisa ingxaki yokusebenza koxhulumaniso olunye, ayilungelanga iiwebhusayithi ezinkulu ezinenani elikhulu labasebenzisi abasebenzisanayo , i-proxy ezimeleyo yokupheliswa kwe-SSL esekwe ekwabelweni komthwalo ibalulekile Inkonzo yeWebhu ibekwe emva kwe-SSL yokuphelisa ummeli. okanye inokusekelwe kuyo软件Ewe, umzekelo, iWikipedia isebenzisa iNginx.

Emva kokwamkela i-HTTPS, zingaphi na ezinye izixhobo zeseva eziza kusetyenziswa, ngoJanuwari 2010inboxUkutshintshela ekusebenziseni ngokupheleleyo i-HTTPS, umthwalo we-CPU we-front-end processing umatshini we-SSL awuyi kwanda ngaphezu kwe-1%, ukusetyenziswa kwememori yoqhagamshelwano ngalunye kuya kuba ngaphantsi kwe-20KB, kwaye i-traffic yenethiwekhi iya kwanda ngaphantsi kwe-2% Njengoko i-Gmail kufuneka isebenzise iiseva ze-N kuqhubekeko olusasazwayo, ngoko ke Umthwalo wedatha we-CPU awunakubaluleka kakhulu kwireferensi. Ukusetyenziswa kwememori kunye nedatha yetrafikhi yenethiwekhi yoqhagamshelwano ngalunye lubalulekile. Eli nqaku likwadwelisa ukuba undoqo omnye uphatha malunga ne-1500 yokuxhawula izandla. ngesekhondi (ye-1024-bit RSA) ), le datha inolwazi kakhulu.

XNUMX. Izinto eziluncedo zeHTTPS

Kungenxa yokuba i-HTTPS ikhuseleke kakhulu ukuba abahlaseli abanakufumana indawo yokuqalisa.Ngokwembono yee-webmasters, inzuzo ye-HTTPS ilandelayo:

1. Imiba ye-SEO

UGoogle ulungelelanise i-algorithm ye-injini yokukhangela ngo-Agasti ka-2014, esithi "isayithi efihliweyo nge-HTTPS iya kubeka phezulu kwiziphumo zophando kunesayithi elilinganayo le-HTTP".

2. Ukhuseleko

Nangona i-HTTPS ingakhuselekanga ngokupheleleyo, imibutho elawula izatifikethi zeengcambu kunye nemibutho enobuchule bokufihla i-algorithms inokuqhuba uhlaselo lomntu phakathi, kodwa i-HTTPS isesona sisombululo sikhuselekileyo phantsi koyilo lwangoku, kunye nezi zibonelelo zilandelayo:

(1) Sebenzisa i-HTTPS protocol ukuqinisekisa abasebenzisi kunye neeseva ukuqinisekisa ukuba idatha ithunyelwa kumxhasi ochanekileyo kunye nomncedisi;

(2) Iprotocol yeHTTPS yiprotocol yothungelwano eyakhiwe yiSSL+HTTP protocol enokwenza ugqithiso olufihliweyo kunye nokuqinisekiswa kwesazisi.Ikhuselekile kuneprotocol ye-http, enokuthintela ukubiwa kwedatha ekubiweni nasekutshintshweni ngexesha lenkqubo yokuhambisa kunye nokuqinisekisa ukuba imfezeko yedatha.

(3) I-HTTPS sesona sisombululo sikhuselekile phantsi kolwakhiwo lwangoku.Nangona ingakhuselekanga ngokupheleleyo, inyusa kakhulu iindleko zokuhlaselwa komntu phakathi.

XNUMX. Ukungalungi kweHTTPS

Nangona i-HTTPS ineenzuzo ezinkulu, isenazo iintsilelo.Ngokukodwa, kukho la manqaku mabini alandelayo:

1. Imiba ye-SEO

Ngokutsho kwedatha ye-ACM ye-CoNEXT, ukusebenzisa i-protocol ye-HTTPS kuya kwandisa ixesha lokulayisha iphepha malunga ne-50% kunye nokwandisa ukusetyenziswa kwamandla nge-10% ukuya kwi-20%. , kwaye kwanaManyathelo okhuseleko akhoyo nawo aya kuchaphazeleka kwaye aya kuchaphazeleka ngokufanelekileyo.

Ngapha koko, umda wokufihlakala kwe-HTTPS protocol ulinganiselwe, kwaye ayidlali nayiphi na indima kuhlaselo lwe-hacker, ukwaliwa kohlaselo lwenkonzo, kunye nokuqweqwedisa iseva.

Okona kubaluleke kakhulu, inkqubo ye-credit chain yezatifikethi ze-SSL ayikhuselekanga, ngakumbi xa amanye amazwe ekwazi ukulawula isatifikethi sengcambu ye-CA, uhlaselo lomntu ophakathi lunokwenzeka.

2. Imiba yezoqoqosho

(1) Izatifikethi ze-SSL zidinga imali.Isatifikethi sinamandla ngakumbi, ixabiso eliphezulu.Iiwebhusayithi zomntu zingasebenzisa izatifikethi ze-SSL zamahhala.

(2) Izatifikethi ze-SSL zihlala zifuna ukubotshwa kwi-IP, kwaye amagama amaninzi e-domain awakwazi ukubophelela kwi-IP efanayo. Izixhobo ze-IPv4 azikwazi ukuxhasa oku kusetyenziswa (i-SSL inezandiso ezinokusombulula ngokuyinxenye le ngxaki, kodwa inzima kwaye ifuna iziphequluli, ukusebenza Inkxaso yenkqubo, iWindows XP ayiluxhasi olu lwandiso, ngokuqwalasela isiseko esifakiweyo se-XP, eli nqaku liphantse lingenamsebenzi).

(3) Uxhumo lwe-HTTPS lwe-caching alusebenzi njenge-HTTP, kwaye iiwebhsayithi ze-traffic eziphezulu aziyi kuyisebenzisa ngaphandle kokuba kuyimfuneko, kwaye iindleko zezithuthi ziphezulu kakhulu.

(4) Uxhulumaniso lwe-HTTPS luthatha izixhobo ezininzi kwicala lomncedisi, kwaye ukuxhasa iiwebhusayithi ezineendwendwe ezincinci zifuna iindleko eziphezulu.Ukuba yonke i-HTTPS isetyenzisiweyo, ixabiso eliqhelekileyo le-VPS lisekelwe kwingcinga yokuba uninzi lwezixhobo zekhompyutha ungenzi nto uya kunyuka.

(5) Isigaba sokuxhawula isandla seprotocol yeHTTPS sichitha ixesha kwaye sinefuthe elibi kwisantya esihambelanayo sewebhusayithi Ukuba akukho mfuneko, akukho sizathu sokubingelela amava omsebenzisi.

XNUMX. Ngaba i-website ifuna ukufihlwa nge-HTTPS?

Nangona i-Google kunye ne-Baidu zombini "zijonge i-HTTPS ngokwahlukileyo", oku akuthethi ukuba abaphathi bewebhu kufuneka baguqule i-protocol yewebhusayithi kwi-HTTPS!

Okokuqala, makhe sithethe ngeGoogle.Nangona uGoogle ehlala egxininisa ukuba "iiwebhusayithi ezisebenzisa itekhnoloji ye-HTTPS encryption ingafumana amanqanaba angcono", ayinakukhutshelwa ngaphandle ukuba le "injongo engaphaya".

Abahlalutyi bamazwe angaphandle bakhe bathi xa bephendula lo mba: isizathu sokuba uGoogle enze le ntshukumo (ukuhlaziya i-algorithm, nokuba usebenzisa itekhnoloji yokufihla iHTTPS njengesalathiso somgangatho wenjini yokukhangela) isenokungabi kukuphucula amava okukhangela omsebenzisi kunye ne-Intanethi. umba wokhuseleko kukubuyisela nje "ilahleko" kwihlazo le "Prism Gate". Le yintshukumo eqhelekileyo yokuzinqwenela phantsi kwebhena "yokuncama i-ego", ebambe phezulu ibhanile ye "Security Impact Ranking" kunye nokucula "HTTPS yonke indawo" ” isilogeni, kwaye ngaphandle komzamo uvumele uninzi lwabaphathi bewebhu ngokuzithandela bajoyine inkampu ye-HTTPS yeprotocol.

Ukuba iwebhusayithi yakho yekaEzorhwebo/WechatKwimimandla yamaqonga, imali, inethiwekhi yoluntu, njl., Kungcono ukusebenzisa iprotocol yeHTTPS; ukuba yindawo yeblogi, indawo yokuthengisa, indawo yolwazi ehleliweyo, okanye indawo yeendaba, ungasebenzisa i-SSL yasimahla. isatifikethi.

XNUMX. Umphathi wewebhu uyakha njani indawo ye-HTTPS?

Xa kuziwa kulwakhiwo lweesayithi ze-HTTPS, kufuneka sikhankanye iprotocol ye-SSL.I-SSL yiprothokholi yokuqala yokhuseleko yothungelwano eyamkelwa yi-Netscape.Yinkqubo yokhuseleko ephunyezwe kwi-Transmission Communication Protocol (TCP/IP), kusetyenziswa iteknoloji yesitshixo sikawonke-wonke. , I-SSL ixhasa ngokubanzi iintlobo ezahlukeneyo zothungelwano, ngelixa zibonelela ngeenkonzo ezintathu zokhuseleko ezisisiseko, zonke zisebenzisa iteknoloji ebalulekileyo yoluntu.

Xa kuziwa kulwakhiwo lweesayithi ze-HTTPS, kufuneka sikhankanye iprotocol ye-SSL.I-SSL yiprothokholi yokuqala yokhuseleko yothungelwano eyamkelwa yi-Netscape.Yinkqubo yokhuseleko ephunyezwe kwi-Transmission Communication Protocol (TCP/IP), kusetyenziswa iteknoloji yesitshixo sikawonke-wonke. , I-SSL ixhasa ngokubanzi iintlobo ezahlukeneyo zothungelwano, ngelixa zibonelela ngeenkonzo ezintathu zokhuseleko ezisisiseko, zonke zisebenzisa iteknoloji ebalulekileyo yoluntu.

1. Indima ye-SSL

(1) Qinisekisa abasebenzisi kunye neeseva ukuqinisekisa ukuba idatha ithunyelwa kumxumi kunye nomncedisi ochanekileyo;

(2) Fihla idatha yokukhusela idatha ekubiweni phakathi;

(3) Gcina ingqibelelo yedatha kwaye uqinisekise ukuba idatha ayitshintshi ngexesha lokuhambisa.

Isatifikethi se-SSL sibhekisa kwifayile yedijithali eqinisekisa ubuni bawo omabini amaqela kunxibelelwano lwe-SSL.Yohlulwe ngokubanzi kwisatifikethi somncedisi kunye nesatifikethi somthengi.Isatifikethi se-SSL siqhele ukuthi sibhekisa ikakhulu kwisatifikethi somncedisi.Isatifikethi se-SSL si ikhutshwe ligunya elithembekileyo lesatifikethi sedijithali i-CA. (efana ne-VeriSign, GlobalSign, WoSign, njl.), ekhutshwe emva kokuqinisekisa isazisi somncedisi, kunye noqinisekiso lweseva kunye nemisebenzi yothunyelo lothutho lwedatha, eyahlulahlulwe kwiSatifikethi se-SSL Esandisiweyo, Ukuqinisekiswa koMbutho (OV) isatifikethi se-SSL, kunye nohlobo loqinisekiso lwegama lesizinda (DV) isatifikethi se-SSL.

2. Amanyathelo ama-3 aphambili okufaka isicelo sesatifikethi se-SSL

Kukho amanyathelo amathathu aphambili okufaka isicelo sesatifikethi se-SSL:

(1), yenza ifayile ye-CSR

Into ebizwa ngokuba yi-CSR yifayile yesicelo seSatifikethi esiKhuselekileyo seSicelo esiveliswe ngumfaki-sicelo.Ngexesha lenkqubo yokuvelisa, inkqubo iya kuvelisa izitshixo ezibini, esinye sisitshixo sikawonke-wonke, esiyifayile ye-CSR, kwaye enye isitshixo sabucala, egcinwe kumncedisi.

Ukwenza iifayile ze-CSR, abafaki zicelo banokubhekisela kwi-WEB SERVER amaxwebhu, i-APACHE ngokubanzi, njl., sebenzisa umgca womyalelo we-OPENSSL ukuvelisa iifayile ze-KEY + CSR2, i-Tomcat, i-JBoss, i-Resin, njl. sebenzisa i-KEYTOOL ukuvelisa iifayile ze-JKS kunye ne-CSR, i-IIS idala. izicelo ezilindileyo kunye nefayile ye CSR.

(2), isiqinisekiso se-CA

Ngenisa i-CSR kwi-CA, kwaye i-CA ngokubanzi ineendlela ezimbini zokuqinisekisa:

① Uqinisekiso lwegama lesizinda: Ngokubanzi, ibhokisi yeposi yomlawuli iqinisekisiwe. Le ndlela iyakhawuleza, kodwa isatifikethi esikhutshiweyo asinalo igama leshishini.

②、Isiqinisekiso soxwebhu lweshishini: Ilayisensi yeshishini yeshishini kufuneka ibonelelwe, ethatha ngokubanzi iintsuku ezi-3-5 zokusebenza.

Kukwakho nezatifikethi ezifuna ukungqinisisa ezi ndlela zimbini zingentla ngaxeshanye, ebizwa ngokuba sisatifikethi se-EV. Esi satifikethi sinokwenza ibha yedilesi yebhrawuza ngaphezulu kwe-IE2 ijike ibe luhlaza, ngoko ke uqinisekiso lukwalelona lingqongqo.

(3), ukufakwa kwesiqinisekiso

Emva kokufumana isatifikethi kwi-CA, ungafaka isatifikethi kumncedisi Ngokubanzi, ifayile ye APACHE ikhuphela ngokuthe ngqo i KEY+CER kwifayile, emva koko ilungise ifayile yeHTTPD.CONF, TOMCAT, njl., kufuneka ungenise isatifikethi CER ifayile ekhutshwe yi CA kwifayile ye JKS, yikopishe kumncedisi, kwaye emva koko ulungise iSERVER.XML IIS ifuna ukuqhubekeka nesicelo esilindileyo kwaye ingenise ifayile ye CER.

XNUMX. Ingcebiso yesatifikethi sasimahla se-SSL

Ukusebenzisa isatifikethi se-SSL akunakuqinisekisa kuphela ukhuseleko lolwazi, kodwa nokuphucula ukuthembela komsebenzisi kwiwebhusayithi, kodwa ngokujongaukwakha iwebhusayithiUkuqwalasela iindleko, abaninzi bee-webmasters badimazekile kuyo. I-intanethi ikhululekile kwi-intanethi ihlala iyimarike engayi kuphinda iphume kwisitayile. Kukho indawo yokusingatha simahla, kwaye izatifikethi ze-SSL zikhululekile ngokwemvelo. Ngaphambili, kwaxelwa ukuba iMozilla, Cisco, Akamai , IdenTrust, EFF, kunye nabaphandi kwiYunivesithi yaseMichigan baya kuqalisa iprojekthi ye-Let Encrypt CA, eceba ukubonelela ngezatifikethi ze-SSL zamahhala kunye neenkonzo zolawulo lwesatifikethi kwiiwebhusayithi eziqala ngeli hlobo (qaphela: ukuba ufuna izatifikethi ezinzima ezingaphezulu, uya kufuneka uhlawule), kwaye ngexesha elifanayo , kwaye kwakhona kunciphisa ubunzima bofakelo lwesatifikethi, oluthatha imizuzwana engama-20-30 kuphela.

Idla ngokuba ziiwebhusayithi ezinkulu neziphakathi ezifuna izatifikethi ezintsonkothileyo, kwaye iisayithi ezincinci ezinjengeebhlog zobuqu zinokuzama izatifikethi zasimahla ze-SSL kuqala.

Apha ngezantsi kukhoChen WeiliangIbhlog iya kukwazisa kwizatifikethi ezininzi zasimahla ze-SSL, ezinje: CloudFlare SSL, NameCheap, njl.

1. CloudFlare SSL

I-CloudFlare yiwebhusayithi yase-United States ebonelela ngeenkonzo ze-CDN.Inayo indawo ye-CDN yeseva yayo kwihlabathi jikelele.Iinkampani ezininzi ezinkulu okanye iiwebhusayithi ekhaya naphesheya zisebenzisa iinkonzo zeCDN zeCloudFlare.Kakade,ezona zisetyenziswa kakhulu ngabaphathi bewebhu basekhaya basekhaya. yi-CDN ye-CloudFlare yasimahla, khawulezisa Ikwalungile kakhulu.Isiqinisekiso sasimahla se-SSL esinikwe nguCloudFlare yi-UniversalSSL, oko kukuthi, i-SSL yehlabathi jikelele.Abasebenzisi banokusebenzisa isatifikethi se-SSL ngaphandle kokufaka isicelo kunye nokuqwalasela isatifikethi kugunyaziwe wesatifikethi.I-CloudFlare ibonelela nge-SSL ye-SSL. i-encryption kubo bonke abasebenzisi (kubandakanywa nabasebenzisi bamahhala), ujongano lwewebhu Isatifikethi sisekwe ngaphakathi kwemizuzu emi-5, kwaye ukuthunyelwa ngokuzenzekelayo kugqitywe kwiiyure ze-24, ukubonelela ngenkonzo ye-TLS ye-encryption esekelwe kwi-Elliptic Curve Digital Signature Algorithm (ECDSA) ye-traffic website.

2. NameCheap

I-NameCheap yinkampani ehamba phambili yokubhaliswa kwegama le-domain ye-ICANN kunye nenkampani yokubamba iwebhusayithi, esungulwe kwi-2000, inkampani inikeza isisombululo se-DNS samahhala, ukuthunyelwa kwe-URL (inokufihla i-URL yasekuqaleni, inkxaso ye-301 redirection) kunye nezinye iinkonzo, ngaphezu koko, i-NameCheap inikezela Iminyaka yesatifikethi se-SSL yenkonzo yasimahla.

3. Masi Fihla

Masifihlele yiprojekthi edumileyo yokukhutshwa kwesatifikethi se-SSL kutshanje. Masibhalele yiprojekthi yasimahla nesimahla yentlalontle yoluntu ebonelelwa yi-ISRG, ekhupha izatifikethi ngokuzenzekelayo, kodwa isatifikethi sisebenza iintsuku ezingama-90 kuphela.Ilungele ukusetyenziswa komntu okanye ukusetyenziswa okwethutyana, akusekho mfuneko yokuba unyamezele ukukhawuleza ukuba izatifikethi ezizisayinileyo azithenjwa ngabakhangeli.

inyaniso,Chen WeiliangIbhlog ikwaceba ukusebenzisa Masi Fihla kutshanje ^_^

Masibhale kwisifundo sasimahla sesicelo sesatifikethi se-SSL, nceda ubhekisele kweli nqaku ngeenkcukacha:"UUngasifaka njani isicelo seLet Encrypting"U